AUSTIN, Texas - Kelly Dowell has been cris-crossing the country lately, taking the fledgling Credit Union Information Security Professionals Association (www.cuispa.org) on its maiden voyage across credit union land. About 135 people attended the first eight CUISPA peer meetings, held in December and January in Las Vegas, the Los Angeles area, San Diego, Houston, Dallas, Austin and Chicago. Others are scheduled in Ohio, New York, San Francisco and Seattle with more on the way, says Dowell, executive director of the new, Austin-based group. "The idea has been to call everybody together and talk about forming this cooperative where everyone can share knowledge and experience on security and regulatory issues," Dowell says. "By the end of the year, we hope to have 50 organized local groups meeting regularly, with about 400 to 500 total members." What Dowell says he's hearing so far includes some common themes: "They're looking at overall strategies to help make their security more effective, manageable and affordable. They're interested in understanding what regulators are interested in and what they should be doing about it. "Business continuity also is a hot issue right now, too, and there's a lot of movement in it, particularly because regulators are suggesting it." In addition to meeting regularly to discuss such areas of mutual concern, the organization hopes to begin such activities as educational conferences and helping credit unions vet vendors. "We're considering creating a third-party vendor certification program of some kind," says Dowell, himself a former president of an IT security provider, "for one thing, because there is no good way right now to evaluate them and credit unions are supposed to, according to NCUA regulations about third parties hosting non-public member information." He says his organization could develop evaluation criteria based on input from what its members need to know and then could go to the vendors each year for the information needed to be certified and re-certified. "There are a lot of those third-party relationships out there, including Visa and core processors and business continuity guys," Dowell says. "The vendors would also benefit because they wouldn't need to provide all this to every individual credit union, which they don't necessarily want to do anyway." Conference plans, meanwhile, already are under way and they probably will begin this summer or fall, Dowell says. "These won't be typical conferences," he says. "Our plan is to offer training and education, not necessarily vendor pitches. Our thinking is that a true educational conference is what our members really want." That's what Tamara Hudson, MIS Director at the $140 million Community Resource Credit Union of Baytown, Texas, likes to hear. After attending the Houston meeting, she says she looks forward to a "variety of credit union members sharing experiences and bringing topics to the table, while having veteran professionals of CUISPA with specific areas of expertise providing guidance down this liquid path of technology." Hudson, who has agreed to host the next Houston meeting, also is attracted to the "CUISPA vision of how credit unions can collaborate on things like security policies, e-commerce security manuals and audit concerns" and says she hopes to get "more information from peers on topics ranging from intrusion invention to mobile branching." Such networking among network experts also will help CUISPA members work more effectively with the increasing complexities of IT security in general, one of its new members says. Out of Their Silos "In reality, most smaller and mid-size credit unions tend to have specific expertise and silo approaches. This means they may have a greater reliance on vendors and third-party expertise for help in other areas, not knowing what direction to take or who to trust," says David Meunier, the new chief information security officer at CUNA Mutual. "Today's efforts to make infrastructures defensible involves multiple technologies and processes assembled in a tiered approach to create the best solution," says Meunier, who attended the CUISPA's first Chicago-area meeting. "For example, anti-virus, OS patching and personal firewalls are only so-so products when individually implemented. But combined they create a very good solution. "What this boils down to is that most IT organizations focus on point security solutions as opposed to developing broad strategic solutions. But there are many technologies and threats to be concerned with and no one person can be an expert in everything," says the new IT security chief at CUNA Mutual. And don't expect the big boys to be bullies. "We were in kind of a unique position because we're much larger than the other credit unions out there, and we may be able to help the smaller ones because they don't have the money and resources and buying power we do," Chad Beert, a security engineer at $4.5 billion Alliant Credit Union, says of the Chicago group. Bill Podborny, Alliant CU's manager of security and business continuity, adds, "I think the most important thing we got out of our first meeting might well have been the contacts we're making. We all run a lot of the same applications and have the same issues . concerns about business continuity and security, and it's good to be in a peer group like this, discussing these issues with people who are each in the same boat." Karen Jorgensen, internal auditor at $430 million Pacific Marine Credit Union in Oceanside, Calif., attended the CUISPA's initial San Diego meeting and said it reminded her of the early days of her own group, the Credit Union Internal Auditors Association. "We began in the late `80s and were just a group of auditors from several credit unions, mostly one-person departments," she says. "We knew we could help one another by sharing audit programs and plans so everyone didn't have to re-invent the wheel." Her group eventually incorporated and began annual education conferences as well as quarterly regional meetings to discuss current issues and techniques of her trade. "The networking is the best part of any of these organizations," Jorgensen says. "Once you know another member's strength, you'll call that person when you're faced with a problem in that particular area of expertise. "It saves time, makes you more aware of your profession and duties, and you make some great friends." The personal aspect also appealed to Meunier at CUNA Mutual. "Being new to the credit union movement, CUISPA will help me better understand credit unions' concerns and enable me to develop relationships with my peers at credit unions," he says. "CUISPA is not only valuable to credit unions, but to CUNA Mutual," he adds. "Credit unions have done many good things that we can learn from and are potentially useful in our environment. "No one person or organization has all the answers, but together we are stronger as one unit than as islands attempting to secure everything alone." As for Dowell personally, the CUISPA founder says, "I'd say it's gone extremely well for me so far. It's difficult at times to get hold of a lot of these people. They're busy IT guys and they field a lot of calls and screen out a lot. "But when they attend a meeting, they understand what it's all about and they get excited about the possibilities." -

[email protected]